The problem is lurking in recff_cdata_arith, which under some conditions
sets operand references in the array sp to 0.
However, neither crec_arith_int64 nor crec_arith_ptr seems to check for that.
From my reading of the history the problem is likely to originate from
this commit:
https://github.com/LuaJIT/LuaJIT/commit/19b69f21d409375ad8362c04186b246c1749fc8e
I suspect something like
diff --git a/src/lj_crecord.c b/src/lj_crecord.c
index d568b20..87744a6 100644
--- a/src/lj_crecord.c
+++ b/src/lj_crecord.c
@@ -1249,7 +1249,7 @@ void LJ_FASTCALL recff_cdata_call(jit_State *J,
RecordFFData *rd)
static TRef crec_arith_int64(jit_State *J, TRef *sp, CType **s, MMS mm)
{
- if (ctype_isnum(s[0]->info) && ctype_isnum(s[1]->info)) {
+ if (sp[0] && sp[1] && ctype_isnum(s[0]->info) && ctype_isnum(s[1]->info)) {
IRType dt;
CTypeID id;
TRef tr;
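Review bot: the new `sp[0] && sp[1]` test only guards the numeric branch of crec_arith_int64; when either operand is 0, control falls through to whatever follows this `if`, which is not visible in the hunk and may itself use sp[0] or sp[1]. If the intent is to give up on recording the operation, an explicit early `return 0;` before the `ctype_isnum` test (matching what the crec_arith_ptr hunk does) would be safer and make the two helpers behave the same way.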
@@ -1307,7 +1307,9 @@ static TRef crec_arith_ptr(jit_State *J, TRef
*sp, CType **s, MMS mm)
{
CTState *cts = ctype_ctsG(J2G(J));
CType *ctp = s[0];
- if (ctype_isptr(ctp->info) || ctype_isrefarray(ctp->info)) {
+ if (!sp[0] || !sp[1]) {
+ return 0;
+ } else if (ctype_isptr(ctp->info) || ctype_isrefarray(ctp->info)) {
if ((mm == MM_sub || mm == MM_eq || mm == MM_lt || mm == MM_le) &&
(ctype_isptr(s[1]->info) || ctype_isrefarray(s[1]->info))) {
if (mm == MM_sub) { /* Pointer difference. */
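Review bot: the `!sp[0] || !sp[1]` bail-out duplicates the guard added to crec_arith_int64; since the mail traces the zeroed references to recff_cdata_arith, checking once there before either helper is called would cover both (and any other consumer of sp) in a single place. If the check stays here, a short comment stating why a 0 TRef is possible and that returning 0 means the operation is simply not recorded would help the next reader, since the other early exits of this function are not visible in the hunk.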
is the fix. However, because the original intent is not entirely clear to
me from a cursory reading, such a fix might be wrong.
Hope this helps.
Cheers,